PCI and how it affects College Stores… ROBIN MAYO | PCIP ECOMMERCE MANAGER EAST CAROLINA UNIVERSITY

Post on 22-Dec-2015

213 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

PCI and how it affects College Stores…

ROBIN MAYO | PCIP

ECOMMERCE MANAGER

EAST CAROLINA UNIVERSITY

Page 2

Agenda

What is PCI

Accepting Payment Cards

Securing and Segmenting

Device Tampering

Other PCI requirements

What NOT to do

What's New

Q&A

Page 3

PCI – Payment Card Industry

Set of policies and standards created by card brands to ensure the security of payment card data

Merchants must adhere to PCI requirements and remain compliant or merchant status can be revoked

Fines – up to $500,000 per card brand, all fraud losses, cost of re-issuing cards, consumer fraud monitoring expenses

Page 4

Accepting payment cards

Prior to contracting with any vendor for software, hardware or services that involve credit/debit card payments, you should work with your campus to:

verify the vendor is PCI compliant

verify the software is PA-DSS compliant

verify the hardware is PCI compliant and compatible with your acquirer

document in your contract which requirements you and/or the vendor will be responsible for (PCI Req 12.8.5)

secure and segment workstation/register – this includes networked printers utilized by your PCI workstations/registers

Page 5

Securing and Segmenting

Workstations, registers, computers, etc. that process, store or transmit cardholder data should be segmented from the rest of your network within your campus’ PCI firewall

Designated PCI workstations should:

Only have one purpose – software that processes transactions

all other software/functionality should be removed from workstation

Not have email or instant messaging

Not have internet access except for that needed to process transactions

Should only be able to print to local printers (connected directly to workstation) or to a networked printer that is also segmented within your PCI firewall

Servers associated with your workstations/software should also be segmented

Remote access to your PCI designated servers or workstations must utilize 2-factor authentication
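The segmentation rules on this slide (registers reach only PCI servers, segmented printers and approved processor IPs; no email or instant messaging; remote access only through 2-factor authentication) can be checked mechanically against a flow log. The script below is an added example, not part of the original presentation or East Carolina University's tooling; the address ranges, the 2-factor jump host, the port lists and the sample flow log are all constructed placeholders chosen to mirror the slide's diagram.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample address plan; every address here is a made-up placeholder.
PCI_WORKSTATIONS = ipaddress.ip_network("10.50.0.0/24")  # registers inside the PCI firewall
PCI_PRINTERS = ipaddress.ip_network("10.50.1.0/24")      # printers also segmented within the PCI firewall
PCI_SERVERS = ipaddress.ip_network("10.50.2.0/24")       # on-campus payment servers behind the PCI firewall
# "Internet - approved IPs only": processor endpoints the registers may reach (placeholder).
APPROVED_INTERNET = {ipaddress.ip_address("203.0.113.10"): {443}}
# The single host that may open remote-admin sessions into the segment; assumed to sit
# behind 2-factor authentication (placeholder address).
TWO_FACTOR_JUMP_HOST = ipaddress.ip_address("10.60.0.5")

PRINT_PORTS = {9100, 631}
REMOTE_ADMIN_PORTS = {22, 3389}
EMAIL_IM_PORTS = {25, 110, 143, 587, 993, 995, 5222}


def classify_flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason) for one connection attempt under the slide's segmentation rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def in_pci(a):
        return a in PCI_WORKSTATIONS or a in PCI_SERVERS or a in PCI_PRINTERS

    # Outbound from a register or PCI server.
    if s in PCI_WORKSTATIONS or s in PCI_SERVERS:
        if d in PCI_PRINTERS and dport in PRINT_PORTS:
            return "ALLOW", "print to a printer segmented within the PCI firewall"
        if d in PCI_SERVERS or d in PCI_WORKSTATIONS:
            return "ALLOW", "traffic stays inside the PCI segment"
        if dport in EMAIL_IM_PORTS:
            return "BLOCK", "email/instant messaging is not permitted on PCI workstations"
        if d in APPROVED_INTERNET and dport in APPROVED_INTERNET[d]:
            return "ALLOW", "approved processor endpoint"
        if dport in PRINT_PORTS:
            return "BLOCK", "printer is outside the PCI firewall"
        return "BLOCK", "destination is not on the approved list"

    # Inbound into the segment from anywhere else.
    if in_pci(d):
        if s == TWO_FACTOR_JUMP_HOST and dport in REMOTE_ADMIN_PORTS:
            return "ALLOW", "remote access via the 2-factor jump host"
        return "BLOCK", "inbound access must come through the 2-factor jump host"

    return "OUT_OF_SCOPE", "neither endpoint is in the PCI segment"


def audit_flow_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse constructed 'src dst dport' lines and return (line, verdict, reason) per flow."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        verdict, reason = classify_flow(src, dst, int(port))
        results.append((line, verdict, reason))
    return results


# Constructed sample flow log: "source destination destination-port".
SAMPLE_FLOW_LOG = """
# register -> segmented printer, PCI server, approved processor
10.50.0.12 10.50.1.7 9100
10.50.0.12 10.50.2.20 443
10.50.0.12 203.0.113.10 443
# register -> general web site, campus printer outside the PCI firewall, campus mail relay
10.50.0.12 198.51.100.77 443
10.50.0.12 10.20.3.9 9100
10.50.0.12 10.20.0.25 587
# remote admin: via the 2-factor jump host, and directly from a staff PC
10.60.0.5 10.50.2.20 3389
10.70.4.4 10.50.0.12 3389
# unrelated campus traffic
10.20.3.9 10.20.3.10 80
"""

if __name__ == "__main__":
    for line, verdict, reason in audit_flow_log(SAMPLE_FLOW_LOG.splitlines()):
        print(f"{verdict:13} {line:32} {reason}")
```

Run against a real firewall or NetFlow export, every BLOCK for an existing flow is either a firewall rule gap or a register that has drifted out of scope (a browser, mail client or non-segmented printer), which is exactly what the slide says must not be on a designated PCI workstation.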

Page 6

Segmenting and Scope Example

[Diagram: Registers, On campus servers and Printers sit inside the PCI Firewall; a campus Firewall separates them from the Internet, which is reachable for approved IPs only]

Page 7

Device Tampering

Train staff to inspect devices daily or at the beginning of their shift for tampering

Inspection should include the following:

Verifying device is in the appropriate location

Make/model are correct

Colors, labels, etc. are the same as usual

Verify stickers and labels on devices have not been compromised

Look for scratches or marks on device

Cords/cables connected to device are the same color/type as usual

Also inspect the general vicinity to look for any unusual electronic devices, cameras or new displays

Page 8

Device Tampering - examples

https://www.pcisecuritystandards.org/documents/Skimming%20Prevention%20BP%20for%20Merchants%20Sept2014.pdf

Page 9

Device Tampering - examples

https://www.pcisecuritystandards.org/documents/Skimming%20Prevention%20BP%20for%20Merchants%20Sept2014.pdf

Page 10

Other important PCI requirements

Training – employees and volunteers who process transactions or handle card holder information must be trained upon hire and annually

Criminal Background checks – should be completed for all staff who can access more than one card number at a time or impact the security of your cardholder data environment (for others it is a good practice but not required)

Terminated employees – immediately revoke physical and electronic access for employees who leave under bad circumstances, are suspended or under investigation; employees who leave under good terms should have their access revoked within a reasonable time frame

Sensitive areas – you should control access to sensitive areas and limit access to as few employees as possible

Passwords – should be a minimum of 7 characters and include both alphabetic and numeric characters

Page 11

It is a good habit NOT to…

…Email cardholder data

…Allow faxes with cardholder data to a networked copier/fax (only analog fax machines are acceptable for PCI)

…Store full card numbers electronically

…Store full card numbers (hard copies) after processing unless you have a documented business need

…Process any payments or allow others to submit transactions on computers in your department unless it has been approved and those computers have been secured for PCI

…Process transactions on mobile/wireless devices (Wi-Fi is NOT always secure)

…Surplus/trash old credit card terminals/devices – your campus should have a method to have these destroyed securely

First & Last 4 digits are safe to store electronically and hard copy
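Two of the habits above ("do not email cardholder data" and "do not store full card numbers") are easier to enforce when a script can recognise a full card number before a message is sent or a record is written, and reduce it to the first and last 4 digits that this slide says are safe to keep. The code below is an added example, not part of the original presentation; the sample text is constructed, the card number in it is a well-known test number, and the regular expression and helper names are mine. The truncation keeps only the first 4 and last 4 digits as stated on the slide; this is within the PCI DSS masking limit, which permits at most the first six and last four.

```python
import re
from typing import List

# Candidate run of 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; separates card numbers from order/phone numbers of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_full_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit number found in text (separators removed)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep the first 4 and last 4 digits, as the slide allows, and mask the rest."""
    digits = _digits_only(pan)
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def redact_for_storage(text: str) -> str:
    """Replace each full card number in text with its truncated form; leave everything else alone."""
    def repl(m):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return truncate_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample: a note a cashier might try to email or file. The card number is the
# standard Visa test number; the phone and order numbers are made up and fail the Luhn check.
SAMPLE_TEXT = (
    "Refund for order 1000234567890123, card 4111 1111 1111 1111 exp 12/19, "
    "customer phone 252-555-0123, book rental 4111-1111-1111-1112."
)

if __name__ == "__main__":
    print("full card numbers found:", find_full_pans(SAMPLE_TEXT))
    print("safe to store:", redact_for_storage(SAMPLE_TEXT))
```

The same `find_full_pans` check works as a pre-send hook on an outbound mail gateway or a pre-commit check on a database write; a non-empty result is the signal that the content carries a full card number and must not leave the PCI environment or be stored as-is.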

Page 12

What’s changing…

New requirements

PCI DSS v3.1 – effective April 2015

EMV chip cards – Oct 2015

Contactless (NFC) – Apple Pay

P2PE – Point to Point Encryption

Page 13

Questions???

Page 14

Thank you

Robin Mayo

[email protected]

(252)737-4729